fix: production deployment hardening
Docker: - Restrict PostgreSQL port to 127.0.0.1 only (not exposed to LAN) - Add APP_BASE_URL for MCP server to reach Next.js via Docker network - Fix MCP healthcheck (remove always-passing fallback) - Add resource limits to mcp-server container Dockerfile: - Remove full node_modules copy (standalone already includes deps) Reduces image size by ~500MB+ Config: - Add MCP_SERVER_MODE and MCP_SERVER_URL to deploy.sh and .env.docker.example - Deploy script now auto-sets MCP_SERVER_URL based on NEXTAUTH_URL Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@@ -41,6 +41,9 @@ POSTGRES_PASSWORD=memento
|
|||||||
# Mode: 'stdio' (Claude Desktop, Cline) or 'sse' (N8N, HTTP)
|
# Mode: 'stdio' (Claude Desktop, Cline) or 'sse' (N8N, HTTP)
|
||||||
MCP_MODE="stdio"
|
MCP_MODE="stdio"
|
||||||
MCP_PORT="3001"
|
MCP_PORT="3001"
|
||||||
|
# Frontend MCP settings (for the MCP settings panel in the web UI)
|
||||||
|
# MCP_SERVER_MODE="sse"
|
||||||
|
# MCP_SERVER_URL="http://YOUR_IP:3001"
|
||||||
|
|
||||||
# =============================================================================
|
# =============================================================================
|
||||||
# AI PROVIDER - TAGS GENERATION
|
# AI PROVIDER - TAGS GENERATION
|
||||||
|
|||||||
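Review bot: The new `# MCP_SERVER_URL="http://YOUR_IP:3001"` example does not say which side consumes the value; the heading says it feeds the settings panel in the web UI, so it has to be an address reachable from the user's network rather than the Docker-internal name the compose file uses for APP_BASE_URL, and that is the distinction readers will get wrong. I would extend the comment to `# MCP_SERVER_URL: address of the MCP server as reachable from outside Docker (shown in the web UI); port must match MCP_PORT`. The suggested `MCP_SERVER_MODE="sse"` also sits next to a default of `MCP_MODE="stdio"`, and the comment on the mode line implies only `sse` listens on a port, so an operator who uncomments the frontend settings without switching `MCP_MODE` advertises a URL nothing answers; a one-line `# requires MCP_MODE="sse"` above the frontend block closes that gap.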
@@ -13,7 +13,7 @@ services:
|
|||||||
volumes:
|
volumes:
|
||||||
- postgres-data:/var/lib/postgresql/data
|
- postgres-data:/var/lib/postgresql/data
|
||||||
ports:
|
ports:
|
||||||
- "5432:5432"
|
- "127.0.0.1:5432:5432"
|
||||||
healthcheck:
|
healthcheck:
|
||||||
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-memento}"]
|
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-memento}"]
|
||||||
interval: 5s
|
interval: 5s
|
||||||
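Review bot: Binding the published port to `127.0.0.1` closes the LAN exposure, but the hunk gives no reason for publishing 5432 at all: the app containers reach the database as `postgres:5432` over the compose network (see the `DATABASE_URL` context in the next hunk), so the host mapping only serves local admin tooling. If that is the intent, a comment such as `# loopback-only: for local psql/admin tools; containers use the service name` keeps the next maintainer from widening it again, and if nothing on the host needs it the `ports:` entry can be dropped in favour of the network alone. One thing to confirm on the deployment host rather than assume: some Docker releases have been reported to add an IPv6 wildcard listener alongside a 127.0.0.1 IPv4 binding when the userland proxy is in use, so checking the listening sockets for 5432 after the first deploy is worthwhile.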
@@ -79,14 +79,23 @@ services:
|
|||||||
# DATABASE_URL is auto-constructed from PostgreSQL credentials (not in .env.docker)
|
# DATABASE_URL is auto-constructed from PostgreSQL credentials (not in .env.docker)
|
||||||
- DATABASE_URL=postgresql://${POSTGRES_USER:-memento}:${POSTGRES_PASSWORD:-memento}@postgres:5432/${POSTGRES_DB:-memento}
|
- DATABASE_URL=postgresql://${POSTGRES_USER:-memento}:${POSTGRES_PASSWORD:-memento}@postgres:5432/${POSTGRES_DB:-memento}
|
||||||
- NODE_ENV=production
|
- NODE_ENV=production
|
||||||
|
- APP_BASE_URL=http://memento-note:3000
|
||||||
depends_on:
|
depends_on:
|
||||||
postgres:
|
postgres:
|
||||||
condition: service_healthy
|
condition: service_healthy
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
networks:
|
networks:
|
||||||
- memento-network
|
- memento-network
|
||||||
|
deploy:
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpus: '1'
|
||||||
|
memory: 512M
|
||||||
|
reservations:
|
||||||
|
cpus: '0.25'
|
||||||
|
memory: 128M
|
||||||
healthcheck:
|
healthcheck:
|
||||||
test: ["CMD-SHELL", "wget --spider -q http://localhost:3001/ || node -e \"console.log('healthy')\""]
|
test: ["CMD-SHELL", "wget --spider -q http://localhost:3001/ || exit 1"]
|
||||||
interval: 30s
|
interval: 30s
|
||||||
timeout: 10s
|
timeout: 10s
|
||||||
retries: 3
|
retries: 3
|
||||||
|
|||||||
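Review bot: The corrected healthcheck `wget --spider -q http://localhost:3001/ || exit 1` assumes something listens on 3001, which according to the `.env.docker.example` comment is only true in `sse` mode; if the container honours `MCP_MODE=stdio` (that file's default) it is reported unhealthy indefinitely, and the removed `node -e` fallback was presumably masking exactly that case. Since this compose file already interpolates values like `${POSTGRES_USER:-memento}` at load time, the same mechanism can make the check mode-aware without reintroducing an unconditional pass: `test: ["CMD-SHELL", "[ \"${MCP_MODE:-sse}\" != sse ] || wget --spider -q http://localhost:3001/"]`. The `|| exit 1` is redundant either way, because wget's non-zero status already fails the check. It is also worth confirming that the MCP server answers `/` with a success status, as a 404 on the root path would make the check flap while the service is actually up; the service definition starts above this hunk.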
@@ -52,7 +52,6 @@ COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
|
|||||||
COPY --from=builder /app/prisma ./prisma
|
COPY --from=builder /app/prisma ./prisma
|
||||||
RUN chown -R nextjs:nodejs /app/prisma
|
RUN chown -R nextjs:nodejs /app/prisma
|
||||||
COPY --from=builder --chown=nextjs:nodejs /app/node_modules/.prisma ./node_modules/.prisma
|
COPY --from=builder --chown=nextjs:nodejs /app/node_modules/.prisma ./node_modules/.prisma
|
||||||
COPY --from=builder --chown=nextjs:nodejs /app/node_modules ./node_modules
|
|
||||||
|
|
||||||
USER nextjs
|
USER nextjs
|
||||||
|
|
||||||
|
|||||||
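Review bot: Removing the full `node_modules` copy relies on the Next.js standalone tracer having captured every runtime dependency, but that tracer only follows imports of the Next app itself; if the `mcp-server` container from the compose hunk is built from this Dockerfile, any module reached only from the MCP entrypoint, and the `prisma` CLI if the entrypoint runs migrations, lived in the copy that is now gone. The runtime command is outside this hunk, so this is inferred rather than observed; before merging I would boot the image with `MCP_MODE=sse` and confirm the MCP healthcheck goes green, since the deploy job on this page shows as cancelled rather than passed, and keep a targeted `COPY --from=builder --chown=nextjs:nodejs /app/node_modules/<PACKAGE> ./node_modules/<PACKAGE>` (placeholder) for any package that turns out to be missing. A comment next to the surviving `.prisma` copy, such as `# engine binaries are not traced by the standalone output`, would also record why that one copy must stay.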
@@ -165,6 +165,8 @@ POSTGRES_PASSWORD="${pg_pass}"
|
|||||||
# MCP Server
|
# MCP Server
|
||||||
MCP_MODE="sse"
|
MCP_MODE="sse"
|
||||||
MCP_PORT="3001"
|
MCP_PORT="3001"
|
||||||
|
MCP_SERVER_MODE="sse"
|
||||||
|
MCP_SERVER_URL="${url}:3001"
|
||||||
|
|
||||||
# AI - Tags
|
# AI - Tags
|
||||||
AI_PROVIDER_TAGS=${ai_tags_provider}
|
AI_PROVIDER_TAGS=${ai_tags_provider}
|
||||||
|
|||||||
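Review bot: `MCP_SERVER_URL="${url}:3001"` appends the port to whatever `${url}` holds, so if this is the NEXTAUTH_URL-derived value the commit message describes, a trailing slash or an explicit port yields `http://host/:3001` or `http://host:3000:3001`, and an `https://` value advertises TLS on a port the compose healthcheck probes over plain HTTP. Extracting the host first avoids all three: `scheme="${url%%://*}"; host="${url#*://}"; host="${host%%[:/]*}"` and then `MCP_SERVER_URL="${scheme}://${host}:3001"`, with a comment noting that the MCP listener itself is plain HTTP and any `https` scheme assumes a TLS terminator in front of port 3001. Because this value is what users will point external MCP clients at, the script should also record which interface 3001 is published on and whether the SSE endpoint requires authentication, given that this commit restricts 5432 to loopback but leaves 3001 unchanged. `${url}` is assigned outside the hunk.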